\section{Misuse cases}

\subsection{Task B}

\begin{enumerate}
\def\labelenumi{\arabic{enumi}.}
\itemsep1pt\parskip0pt\parsep0pt
\item
  Covered: All data is encrypted with the customer's PIN.
\item
  Covered: All data is encrypted with the customer's PIN.
\item
  Covered: All data is encrypted with the customer's PIN.
\item
  Covered: The PIN used for encryption is only known by the customer. It
  isn't stored anywhere.
\item
  Covered: The PIN used for encryption is only known by the customer. It
  isn't stored anywhere.
\end{enumerate}

\subsection{Task C}

\begin{enumerate}
\def\labelenumi{\arabic{enumi}.}
\itemsep1pt\parskip0pt\parsep0pt
\item
  Covered: The load balancer acts as a firewall. Only HTTP traffic to
  and from known devices is forwarded.
\item
  Covered: The replicated web servers are not exposed to the internet.
  They're only accessible through the firewall.
\item
  Covered: The transaction store is not exposed to the internet. It's
  only accessible through the firewall.
\item
  Covered: The load balancer acts as a firewall. Only HTTP traffic to
  and from known devices is forwarded.
\item
  Not covered: There is no firewall on the external communication node,
  which is connected to sensitive components.
\end{enumerate}

\subsection{Task D}

\begin{enumerate}
\def\labelenumi{\arabic{enumi}.}
\itemsep1pt\parskip0pt\parsep0pt
\item
  Not covered: We did not mention that the token needs to be unique for
  each customer and each session.
\item
  Not covered: We did not mention that the tokens need to be hard to
  guess.
\item
  Not covered: We did not mention that the token needs to be unique for
  each customer and each session. However, this is because of the same
  problem as with MUC D.1. Tokens are guaranteed to be unique per
  server. This is managed by the load balancer, which distributes
  sessions instead of requests.
\item
  Covered: Tokens are stored securely. They cannot be altered.
\item
  Covered: When a user's session ends, the token is invalidated and
  removed from the CustomerSession component.
\end{enumerate}
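
The following sketch is an added example, not part of the original design. It shows one way to close the gaps noted in D.1 to D.3 while keeping the invalidation behaviour of D.5. The class name, its methods and the choice of Python's \texttt{secrets} module are assumptions made for illustration.

```python
import hashlib
import secrets


class CustomerSessionStore:
    """Hypothetical stand-in for the CustomerSession component."""

    def __init__(self):
        # Maps SHA-256(token) -> customer id. The raw token is never kept
        # server-side, so a leaked copy of this table cannot be replayed.
        self._sessions = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def open_session(self, customer_id: str) -> str:
        # 32 bytes from the OS CSPRNG: hard to guess, and a fresh value for
        # every session, so uniqueness does not depend on which server
        # behind the load balancer issued the token.
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = customer_id
        return token

    def customer_for(self, token: str):
        # Returns the customer bound to the token, or None when the token
        # is unknown or has already been invalidated.
        return self._sessions.get(self._digest(token))

    def close_session(self, token: str) -> bool:
        # Invalidate on session end; True only if a live session was removed.
        return self._sessions.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    store = CustomerSessionStore()
    first = store.open_session("customer-1")    # constructed sample ids
    second = store.open_session("customer-1")
    print(first != second)                      # new token per session
    print(store.customer_for(first))
    store.close_session(first)
    print(store.customer_for(first))            # invalidated token
```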

\subsection{Task E}

\begin{enumerate}
\def\labelenumi{\arabic{enumi}.}
\itemsep1pt\parskip0pt\parsep0pt
\item
  Covered: All employee actions are audited and stored in the
  SecureLogStorage.
\item
  Covered: All employee actions are audited and stored in the
  SecureLogStorage.
\item
  Covered: All employee actions are audited and stored in the
  SecureLogStorage.
\item
  Covered: The SecureLogStorage is secure. It can only be accessed with
  LogAction and ReadLog; the data can't be altered.
\item
  Not covered: We did not specify what happens when the auditing system
  goes down. Employees should not be able to perform actions while the
  system is down. The auditing system therefore needs explicit
  availability requirements.
\end{enumerate}

\subsection{Task F}

\begin{enumerate}
\def\labelenumi{\arabic{enumi}.}
\itemsep1pt\parskip0pt\parsep0pt
\item
  Covered: CustomerAuthenticationAuthorizationEnforcer denies a
  customer's transaction request when the source account does not belong
  to them.
\item
  Covered: MobileAuthenticationAuthorizationEnforcer denies a customer's
  transaction request when the source account does not belong to them.
\item
  Covered: The AuthenticationAuthorizationEnforcers deny a customer's
  history request when the selected account does not belong to them.
\item
  Not covered: We did not mention that we should escape input from web
  requests so that it cannot be executed as SQL queries.
\item
  Covered: MobileAuthenticationAuthorizationEnforcer denies a customer's
  transaction request when the destination account is not in their list.
\end{enumerate}

\subsection{Task G}

\begin{enumerate}
\def\labelenumi{\arabic{enumi}.}
\itemsep1pt\parskip0pt\parsep0pt
\item
  Covered: End-to-end cryptography is provided to hide all transmitted
  data.
\item
  Covered: End-to-end cryptography is provided to protect all
  transmitted data from tampering.
\item
  Not covered: We did not mention how keys are handled. They should be
  transmitted once in a secure way (e.g., at the office or over SMS)
  and securely stored.
\item
  Not covered: We did not mention how keys are handled. They should be
  stored securely on both ends (e.g., hidden from the internet on SAB's
  side and secured with the PIN on the customer's side).
\item
  Not covered: We did not mention which protocol should be used. An
  open standard managed by a third party, such as TLS, is preferred.
\end{enumerate}
